CVE-2021-41072: New Directory Traversal Vulnerability in Squashfs-Tools 4.5 - A Closer Look at squashfs_opendir in unsquash-2.c

A new vulnerability, distinct from the previously disclosed CVE-2021-40153, allows for directory traversal in Squashfs-Tools 4.5. This vulnerability is assigned as CVE-2021-41072 and primarily affects the squashfs_opendir function in unsquash-2.c. An attacker can exploit this vulnerability by crafting a squashfs filesystem with specific symbolic links and file structures, causing unsquashfs to first create a symbolic link pointing to an unexpected directory, then perform a write operation through the symbolic link to another location in the filesystem. In this post, we will delve into the details of this vulnerability, examine the code snippet where the issue occurs, and provide links to the original references.

Code Snippet

The vulnerability can be found in the squashfs_opendir function of the unsquash-2.c file in Squashfs-Tools 4.5. Here's a relevant code snippet from the unsquash-2.c file that highlights where the vulnerability exists:

squashfs_inode id;
long long directory_start_block;
unsigned int offset, directory_offset, size;
struct inode *i;
int squashfs_opendir(const char *pathname, struct squashfs_dir_entry **_dirent, struct path_entry *parent)
{
    ...
    if(squashfs_follow_path(fd, root, pathname, &id, &i, parent) == FALSE)
        goto error;
    directory_start_block = SQUASHFS_INODE_BLK(id);
    offset = SQUASHFS_INODE_OFFSET(id);
    directory_offset = squashfs_read_data(fd, NULL, directory_start_block, offset, &size, &overflow, !MSDOS_SWAP, sizeof(int));
    ...
}

Exploit Details

To exploit this vulnerability, an attacker would create a malicious squashfs filesystem containing a symbolic link and file contents under the exact same filename. When the unsquashfs utility is used to unpack the malicious filesystem, it first creates the symbolic link that points to an unexpected directory outside the intended extraction path. Afterward, when unsquashfs performs a write operation, it writes through the symbolic link, ultimately storing data in an unintended location within the filesystem.

The potential impact of this vulnerability includes unauthorized access to sensitive information, data corruption, or other forms of system compromise, depending on the affected environment and the privileges held by the unsquashfs process.

Original References

- CVE-2021-41072: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41072

- Squashfs-Tools official repository: https://github.com/plougher/squashfs-tools

- CVE-2021-40153 (previous, related vulnerability): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40153

Conclusion

CVE-2021-41072 highlights a new directory traversal vulnerability within Squashfs-Tools 4.5, specifically affecting the squashfs_opendir function in unsquash-2.c. It is crucial for developers and system administrators using Squashfs-Tools to stay informed about this vulnerability, apply any necessary patches or updates, and maintain robust security practices to prevent exploitation. By understanding the underlying code and exploit details, as well as referring to the original references, we can better defend our systems against such threats.

Timeline

Published on: 09/14/2021 01:15:00 UTC
Last modified on: 05/30/2023 06:15:00 UTC